8-stable ZFS ACL (NFSv4): Access disallowed when it should be by inheritance
Eugene M. Kim
20080111.freebsd.org at ab.ote.we.lv
Fri Apr 30 23:43:59 UTC 2010
Greetings,
I am experimenting with NFSv4 ACLs on ZFS, and am baffled by the
following behavior:
--- BEGIN TRANSCRIPT ---
purple# uname -a
FreeBSD purple.the-7.net 8.0-STABLE FreeBSD 8.0-STABLE #1: Mon Mar 29
19:22:00 PDT 2010
ab at purple.the-7.net:/home/FreeBSD/build/RELENG_8/obj/home/FreeBSD/build/RELENG_8/src/sys/PURPLE
i386
purple# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
purple# ls -ld .
drwxr-xr-x 2 root wheel 2 Apr 30 16:15 .
purple# getfacl .
# file: .
# owner: root
# group: wheel
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
purple# setfacl -a0 user:ab:rwxpRWcs:fi:allow .
purple# getfacl .
# file: .
# owner: root
# group: wheel
user:ab:rwxp----RWc--s:f-i---:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
purple# touch root-f
purple# ls -ld root-f
-rw-r--r--+ 1 root wheel 0 Apr 30 16:16 root-f
purple# getfacl root-f
# file: root-f
# owner: root
# group: wheel
user:ab:-wxp----------:------:deny
user:ab:rwxp----RWc--s:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
purple# sudo -u ab cat root-f
purple# sudo -u ab touch root-f
touch: root-f: Permission denied
purple# sudo -u ab ./root-f
sudo: ./root-f: command not found
purple#
--- END TRANSCRIPT ---
The intention here is to allow read/write/append/execution of files
created under the current directory (root:wheel 0755). However, as seen
in the third getfacl output, the ACL of the created file (root-f)
contains not just the inherited ACE (user:ab:rwxpRWcs::allow) but also
another ACE (user:ab:wxp::deny) before the inherited ACE, which causes
the touch(1) and execution of the created file to fail.
Why does this happen?
Regards,
Eugene
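The transcript shows a read succeeding while write and execute fail, which is exactly what order-dependent NFSv4 ACL evaluation predicts for the ACL that ended up on root-f. The following is an added illustration, not code from the original post: a small Python model of the NFSv4 access-check algorithm (RFC 5661 section 6.2.1, where ACEs are walked in order, allow entries satisfy the bits they carry, and the first deny entry covering a still-unsatisfied bit rejects the request), run over the getfacl(1) output for root-f copied from the transcript. It assumes "ab" is an unprivileged user who is not a member of wheel, ignores root's privilege override, and does not model the exact mapping from operations such as touch(1) to individual ACE bits; it also evaluates the same ACL with the leading user:ab deny entry removed, which is the ACL the post intended.

```python
"""Order-dependent NFSv4 ACL evaluation, modelled after RFC 5661 section 6.2.1,
applied to the getfacl(1) output for root-f shown in the transcript."""

from dataclasses import dataclass

# Compact permission letters in the order FreeBSD's getfacl prints them:
# r read_data, w write_data, x execute, p append_data, d delete,
# D delete_child, a read_attributes, A write_attributes, R read_xattr,
# W write_xattr, c read_acl, C write_acl, o write_owner, s synchronize.
PERM_LETTERS = "rwxpdDaARWcCos"


@dataclass(frozen=True)
class Ace:
    who: str          # "owner@", "group@", "everyone@", "user:NAME" or "group:NAME"
    perms: frozenset  # subset of PERM_LETTERS
    flags: str        # inheritance flags as printed, e.g. "f-i---"
    kind: str         # "allow" or "deny"


@dataclass(frozen=True)
class Acl:
    owner: str
    group: str
    aces: tuple


@dataclass(frozen=True)
class Requester:
    user: str
    groups: frozenset


def parse_getfacl(text: str) -> Acl:
    """Parse the compact NFSv4 form of getfacl(1) output."""
    owner = group = None
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                owner = value.strip()
            elif key.strip() == "group":
                group = value.strip()
            continue
        who, perms, flags, kind = line.rsplit(":", 3)
        if len(perms) != len(PERM_LETTERS) or kind not in ("allow", "deny"):
            raise ValueError(f"unrecognised ACE: {line}")
        granted = set()
        for pos, ch in enumerate(perms):
            if ch == "-":
                continue
            if ch != PERM_LETTERS[pos]:
                raise ValueError(f"bad permission letter {ch!r} in {line}")
            granted.add(ch)
        aces.append(Ace(who, frozenset(granted), flags, kind))
    if owner is None or group is None:
        raise ValueError("missing '# owner:' or '# group:' header")
    return Acl(owner, group, tuple(aces))


def ace_applies(ace: Ace, req: Requester, acl: Acl) -> bool:
    """Does this ACE's principal match the requester?"""
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return req.user == acl.owner
    if ace.who == "group@":
        return acl.group in req.groups
    tag, _, name = ace.who.partition(":")
    if tag == "user":
        return req.user == name
    if tag == "group":
        return name in req.groups
    raise ValueError(f"unknown principal {ace.who}")


def check_access(acl: Acl, req: Requester, wanted: str):
    """Return (granted, index of the deciding deny ACE or None).

    ACEs are walked in order: an allow ACE satisfies the bits it carries, and
    a deny ACE covering any still-unsatisfied bit rejects the request.  Access
    is granted once every requested bit has been allowed."""
    needed = set(wanted)
    unknown = needed - set(PERM_LETTERS)
    if unknown:
        raise ValueError(f"unknown permission bits {sorted(unknown)}")
    for idx, ace in enumerate(acl.aces):
        if not needed:
            break
        if not ace_applies(ace, req, acl):
            continue
        if ace.kind == "allow":
            needed -= ace.perms
        elif needed & ace.perms:
            return False, idx
    return not needed, None


# getfacl output for root-f, copied from the transcript above.
ROOT_F_ACL = """\
# file: root-f
# owner: root
# group: wheel
user:ab:-wxp----------:------:deny
user:ab:rwxp----RWc--s:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
"""

# Assumption for this example: ab is an unprivileged user outside wheel.
AB = Requester(user="ab", groups=frozenset({"ab"}))


def access_for_ab(acl_text: str = ROOT_F_ACL) -> dict:
    """Evaluate read, write, execute and append for ab against the ACL as
    created, and against the same ACL with the leading user:ab deny removed."""
    acl = parse_getfacl(acl_text)
    trimmed = Acl(acl.owner, acl.group, tuple(
        a for a in acl.aces if not (a.who == "user:ab" and a.kind == "deny")))
    return {label: {bit: check_access(a, AB, bit)[0] for bit in "rwxp"}
            for label, a in (("as_created", acl), ("without_deny", trimmed))}


if __name__ == "__main__":
    for label, bits in access_for_ab().items():
        print(label, bits)
```

Walking the ACL for ab shows why only the read worked: the first ACE that applies to ab is the deny carrying w, x and p, so any request containing one of those bits is rejected before the inherited allow entry is ever reached, while a read request is not covered by the deny and is satisfied by the second ACE. Removing that deny entry lets the inherited allow grant all four bits.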